Members mailing list archives
[security] upgrade of web_notify
by Camptocamp SA, Guewen Baconnier
A vulnerability has been fixed in the addon web_notify in versions 9.0, 10.0 and 11.0. This addon lives in https://github.com/OCA/web.
This module leverages the core notification system of Odoo and uses the bus channels to send notifications easily from the backend's code. For this purpose, it adds two methods, notify_info and notify_warning, on the 'res.users' model.
Example from an Odoo method:
-> it will show a notification popup in the web interface of the current user, provided the browser is still active on the web application.
# Problem Description
The notify methods are accessible over XML-RPC, like any other model method, and there is no restriction on which user may be the target of the notification. Any authenticated user can therefore call them on another user's 'res.users' record and send that user a maliciously crafted notification. The other user has to be logged in to Odoo to be affected (i.e. to receive the notification).
The patch forbids users other than admin from sending notifications to other users: a regular user may still notify themselves, and admin may still notify anyone.
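The check described above, as an added illustration that is not the OCA web_notify code or the Odoo ORM: a small stand-alone model of a notify method reachable over RPC by any authenticated user, shown once without a target check (the pre-fix behaviour) and once with the guard that only lets an administrator address users other than the caller. The names Session, Bus, NotifyService, UnpatchedNotifyService and the ("notify", uid) channel key are assumptions made for this example.

```python
from dataclasses import dataclass


class AccessError(Exception):
    """Raised when the caller may not notify the requested target users."""


@dataclass
class Session:
    """The authenticated caller of an RPC method (assumed shape, not Odoo's)."""
    uid: int
    is_admin: bool


class Bus:
    """Stand-in for the bus: records the payloads pushed to each user's channel."""

    def __init__(self):
        self.channels = {}

    def sendone(self, channel, payload):
        self.channels.setdefault(channel, []).append(payload)


class NotifyService:
    """Patched behaviour: a non-admin caller may only notify itself."""

    def __init__(self):
        self.bus = Bus()

    def _check_targets(self, session, target_uids):
        # The guard lives in the model method itself, not in the UI, because an
        # RPC caller chooses the target record ids directly.
        if session.is_admin:
            return
        others = sorted({uid for uid in target_uids if uid != session.uid})
        if others:
            raise AccessError(
                "user %d may not notify other users %s" % (session.uid, others))

    def _notify(self, session, target_uids, type_message, message, title, sticky):
        self._check_targets(session, target_uids)
        payload = {"type": type_message, "message": message,
                   "title": title, "sticky": sticky}
        for uid in target_uids:
            self.bus.sendone(("notify", uid), payload)  # assumed channel key
        return len(target_uids)

    def notify_info(self, session, target_uids, message, title=None, sticky=False):
        return self._notify(session, target_uids, "info", message, title, sticky)

    def notify_warning(self, session, target_uids, message, title=None, sticky=False):
        return self._notify(session, target_uids, "warning", message, title, sticky)


class UnpatchedNotifyService(NotifyService):
    """Pre-fix behaviour: the targets are never checked."""

    def _check_targets(self, session, target_uids):
        pass


def attempt(service, session, target_uids, message):
    """Return 'delivered' or 'denied' for one RPC-style call to notify_warning."""
    try:
        service.notify_warning(session, target_uids, message)
    except AccessError:
        return "denied"
    return "delivered"


def scenario():
    """Run the advisory's scenario against both services and report the outcomes."""
    admin = Session(uid=1, is_admin=True)
    alice = Session(uid=2, is_admin=False)  # constructed: an ordinary user, the attacker
    bob_uid = 3                             # constructed: the logged-in victim
    unpatched, patched = UnpatchedNotifyService(), NotifyService()
    return {
        "unpatched_alice_to_bob": attempt(unpatched, alice, [bob_uid], "crafted"),
        "patched_alice_to_bob": attempt(patched, alice, [bob_uid], "crafted"),
        "patched_alice_to_self": attempt(patched, alice, [alice.uid], "mine"),
        "patched_admin_to_all": attempt(patched, admin, [alice.uid, bob_uid], "maintenance"),
        "bob_channel_unpatched": len(unpatched.bus.channels.get(("notify", bob_uid), [])),
        "bob_channel_patched": len(patched.bus.channels.get(("notify", bob_uid), [])),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print("%-24s %s" % (key, value))
```

In the unpatched variant the attacker's notification reaches Bob's channel; in the patched one the same call is refused, while self-notification and admin broadcasts still go through. The point a reviewer would check in the real fix is that the guard sits in the model method, since that is what XML-RPC invokes, and not only in the web client.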
Upgrade the OCA/web repository or apply one of the patches from: